- limitRelayState(m_log, application, httpRequest, returnloc);
- ret.second = httpResponse.sendRedirect(returnloc);
+ // Relative URLs get promoted, absolutes get validated.
+ if (*returnloc == '/') {
+ string loc(returnloc);
+ httpRequest.absolutize(loc);
+ ret.second = httpResponse.sendRedirect(loc.c_str());
+ }
+ else {
+ application.limitRedirect(httpRequest, returnloc);
+ ret.second = httpResponse.sendRedirect(returnloc);
+ }